NT Virus Threatens Much, Does Little
By David A. Harvey, Help Channel
October 14, 1999 3:09 PM PT

Bad news for Microsoft Windows NT users worldwide, and a first: an NT-based virus that integrates itself into NT's driver core. This kernel-level virus, dubbed WinNT.Infis, operates as an NT driver and loads into memory on systems running Windows NT 4.0 under every service pack (2-6). It does not run on NT 3.5, Windows 95, 98, or 2000 systems. The virus, which originated in Russia, is just beginning to crop up in the US. It's also important to note that the virus will only operate when running under an account that has administrative rights.

While WinNT.Infis does not appear to have any serious effects, it does have a bug in its infection routine. The bug corrupts programs, causing them to abort on startup with the NT error message, "is not a valid Windows NT application." At present, problems have been reported with Microsoft Paint (MSPAINT.EXE), Calculator (CALC.EXE), and CD-Player (CDPLAYER.EXE), but other programs may be susceptible. The good news is that the virus cannot write to read-only files, such as CMD.EXE.

WinNT.Infis works as a memory-resident, file-infecting virus. It loads at Windows startup, corrupts files, and creates a driver file named INF.SYS in the WinNT\System32\Drivers folder. Additionally, WinNT.Infis creates a registry key to control its loading at system startup. The key is \Registry\Machine\System\CurrentControlSet\Services\inf. The values for the key are: Type=1 (telling NT that this is a standard driver for Windows NT), Start=2 (how the driver starts), and ErrorControl=1 (which causes NT to start the driver even if there's an error in the driver).

As the virus hangs out in NT's memory, it hooks file opens and then writes itself to the end of Win32 Portable Executable (PE) files. The one clue you'll have is in the PE file's header, if you're able to peek into it: the virus sets the time and date stamp in the PE header to '-1', or FFFFFFFFh in hex.

Installation is pernicious. The virus simply copies a "dropper" application that sets the lines in the registry and extracts and copies INF.SYS to the drivers folder. The virus executes the next time NT is rebooted.

At this date, there are only a few companies with software to detect this virus: Central Command, the affiliated Kaspersky Lab, and Symantec. Microsoft has acknowledged the problem, and we would expect US anti-virus software vendors to issue updates soon.

If you are infected, you can stop the virus simply by using NT's Device Manager to prevent INF.SYS from starting at system boot. But you really do need to get some software to totally eradicate this virus, unless you're willing to poke through the header of every PE application on your system. Because this is a parasitic, file-infecting, memory-resident virus, you cannot be certain that you have eliminated it until every potential infectious target has been scanned. Simply deleting INF.SYS and eradicating the registry keys will be fine for one reboot, but infected files will simply re-install the virus, causing re-infection on the next boot. You could, ostensibly, re-delete INF.SYS and re-edit the registry before every boot, but isn't that what anti-virus software is for in the first place?
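The article's one detection clue is the TimeDateStamp in the PE header being set to FFFFFFFFh. The following script, added here as an illustration and not part of the original article or of any vendor's scanner, walks a directory tree and reports PE files carrying that marker. It parses only the DOS header and the COFF file header (the field offsets are those of the PE format itself), treats truncated or non-PE files as "no result" rather than crashing, and the `make_pe` helper builds constructed header-only images so the checks can be exercised offline; a matching timestamp is a clue worth scanning further, not proof of infection on its own.

```python
import os
import struct
from typing import List, Optional, Tuple

# Value the article says WinNT.Infis writes into the PE TimeDateStamp
# of files it infects: -1, i.e. FFFFFFFFh.
INFIS_TIMESTAMP = 0xFFFFFFFF

# Bytes to read from the start of each file: DOS stub plus PE headers.
HEAD_BYTES = 64 * 1024


def pe_timestamp(data: bytes) -> Optional[int]:
    """Return the COFF TimeDateStamp of a PE image, or None if the bytes are
    not a well-formed PE file (missing MZ/PE signatures, truncated headers)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    # e_lfanew (offset of the PE signature) lives at 0x3C of the DOS header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte "PE\0\0" signature followed by the 20-byte COFF file header.
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def has_infis_marker(data: bytes) -> bool:
    """True when the PE TimeDateStamp equals the marker described in the article."""
    return pe_timestamp(data) == INFIS_TIMESTAMP


def scan_tree(root: str,
              extensions: Tuple[str, ...] = (".exe", ".dll", ".scr", ".sys")
              ) -> List[str]:
    """Walk a directory tree and return the paths of PE files whose header
    carries the FFFFFFFFh timestamp. Unreadable files are skipped."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(HEAD_BYTES)
            except OSError:
                continue
            if has_infis_marker(head):
                hits.append(path)
    return hits


def make_pe(timestamp: int) -> bytes:
    """Constructed sample: a minimal header-only PE image (not a runnable
    program) with the given TimeDateStamp, used to exercise the checks."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=0x14C (i386), NumberOfSections=1, TimeDateStamp, then zeroed
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    clean = make_pe(0x37F3A1C2)       # constructed: an ordinary build time
    marked = make_pe(INFIS_TIMESTAMP)  # constructed: the marker from the article
    print("clean  :", hex(pe_timestamp(clean)), has_infis_marker(clean))
    print("marked :", hex(pe_timestamp(marked)), has_infis_marker(marked))
    print("garbage:", pe_timestamp(b"MZ" + b"\0" * 10))
    # Real use: scan_tree(r"C:\WinNT") on an NT system, then feed the hits
    # to an anti-virus product; this script only finds candidates.
```

Running the script on an NT box as `scan_tree` over the system and program directories yields a candidate list; as the article notes, the files themselves must still be cleaned by anti-virus software, since disinfecting only INF.SYS and the registry key leaves infected PE files to re-seed the driver on the next boot.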